Health Savings Account Fraud: The Rapidly Growing Threat

As income tax season comes to a close, financially-motivated cybercriminals are honing new tactics for monetizing medical PII.

While information security and anti-fraud teams remain on high alert for indicators of income tax fraud ahead of the rapidly approaching April 18 filing deadline, a lesser-known yet serious threat with ties to both income tax fraud and the 2016 healthcare breaches continues to emerge: health savings account (HSA) fraud.

HSA fraud in and of itself is nothing new, but the threat has grown substantially in credibility, complexity, and frequency since 2016. More specifically, the unprecedented surplus of stolen medical records currently offered for sale on Deep & Dark Web marketplaces has depressed prices and created financial difficulties for many cybercriminals who have traditionally relied on the profits from selling medical personally identifiable information (PII).

Threat actors who purchase so-called "fullz," complete sets of an individual’s identifying data, typically use them to commit various types of fraud. However, because demand for bulk medical fullz is not rising in tandem with their increased availability and declining sale prices, many cybercriminals have sought ways to identify the most valuable records for use in more profitable schemes such as HSA fraud.

This renewed interest in HSA fraud first emerged around September 2016, when "cr00k," one of the most prolific actors attacking healthcare institutions, suggested using stolen healthcare information to target high-value HSAs. Such attacks soon became an emerging trend among various low-tier cybercriminals in possession of medical PII. To identify higher-value HSAs, cybercriminals typically use free credit reporting and financial management platforms to look up victims’ credit scores and gauge their financial status.

To create or look up accounts on these platforms, cybercriminals need the victim’s fullz, obtained from compromised healthcare institutions. Some use this information to target valuable HSAs directly, whereas others sell victims’ credit reports packaged with their medical fullz at substantially higher prices. cr00k in particular has been known to sell such packages for HSA fraud for as much as $80-$100 per record; records with higher credit scores fetch higher prices, and vice versa.

Image Source: Lightspring via Shutterstock

In addition to the widespread availability of medical fullz on the Deep & Dark Web, the current composition of the US health insurance landscape may be another factor behind cybercriminals’ renewed interest in HSA fraud. As health insurance costs continue to rise, more individuals are opting for high-deductible health plans, which tend to have lower monthly premiums.

HSAs are available only to individuals covered by high-deductible health plans, so as those plans become more popular, so do HSAs. Recent estimates suggest there are over 20 million HSAs holding nearly $37 billion in assets, a year-over-year increase of 22% in assets and 20% in accounts. These figures raise concerns about the growing population of individuals susceptible to HSA fraud, which remains difficult for both victims and financial institutions to detect and mitigate, for three reasons:

First, access to victims’ fullz, which typically include their Social Security numbers and mothers’ maiden names, lets fraudsters pass knowledge-based identity checks, reset HSA account passwords, gain illicit access to funds, and transfer them out of the account. To further evade detection and bypass financial institutions’ anti-fraud controls, some fraudsters move HSA funds onto prepaid cards opened in the victim’s name, so the payout destination still appears to belong to the account holder.

Second, unlike other tax-advantaged health accounts such as flexible spending accounts (FSAs), HSA funds roll over from year to year, earn interest, and don’t expire. As such, many individuals treat HSAs like ordinary savings accounts and may not check their balances routinely, if ever. In fact, numerous reports have surfaced from individuals who did not learn their HSAs had been compromised until months later.

Third, late detection not only makes it harder for financial institutions to investigate incidents and bring wrongdoers to justice; U.S. federal law also holds financial institutions liable for lost funds only if the account holder reports the incident within 60 days, a window that a victim who rarely checks the account can easily miss.
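The sequence laid out in the three points above (a credential recovery answered from the victim’s fullz, a payout to a never-before-seen destination such as a prepaid card, and an owner who has not touched the account in months) is a pattern an HSA custodian’s fraud team can alert on from ordinary account event logs. The following is an added example written for this page, not code from the article or from Flashpoint. The log format, event names, account identifiers, the `PREPAID-` destination prefix, and every threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are assumed values chosen for this example, not figures from the article.
RESET_TO_TRANSFER_WINDOW = timedelta(days=7)   # credential recovery followed closely by a payout
DORMANCY_THRESHOLD = timedelta(days=180)       # no owner login for this long before the payout
REPORTING_WINDOW = timedelta(days=60)          # the 60-day reporting window discussed above

RECOVERY_EVENTS = {"kba_recovery", "password_reset"}

# Constructed sample log for two HSAs. The line format, event names, account IDs and the
# "PREPAID-" destination prefix are all invented for this example.
# Format: <ISO timestamp> <account> <event> [key=value ...]
SAMPLE_LOG = """\
2016-02-10T09:00:00 HSA-1001 login ip=203.0.113.5
2016-02-10T09:05:00 HSA-1001 transfer_out dest=PHARMACY-0310 amount=45.00
2016-09-14T11:32:00 HSA-1001 kba_recovery question=mothers_maiden_name
2016-09-14T11:35:00 HSA-1001 password_reset channel=web
2016-09-14T11:40:00 HSA-1001 login ip=192.0.2.77
2016-09-15T08:02:00 HSA-1001 add_destination dest=PREPAID-7781
2016-09-15T08:10:00 HSA-1001 transfer_out dest=PREPAID-7781 amount=2400.00
2016-09-01T10:00:00 HSA-2002 login ip=198.51.100.7
2016-09-20T10:05:00 HSA-2002 login ip=198.51.100.7
2016-09-20T10:07:00 HSA-2002 transfer_out dest=CHECKING-0042 amount=150.00
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime plus any key=value fields."""
    ts, account, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "account": account, "event": event, **fields}


def detect_takeovers(log_text):
    """Return one alert per outbound transfer that matches the takeover pattern.

    Each alert lists the rules tripped and the date by which the account holder
    would have to report the transfer to stay inside the 60-day window.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    by_account = {}
    for ev in sorted(events, key=lambda x: x["ts"]):
        by_account.setdefault(ev["account"], []).append(ev)

    alerts = []
    for account, history in by_account.items():
        for i, e in enumerate(history):
            if e["event"] != "transfer_out":
                continue
            prior = history[:i]
            reasons = []

            # Rule 1: a credential recovery (KBA answer or password reset) shortly before
            # the transfer, and the destination never received money before that recovery.
            recoveries = [p["ts"] for p in prior
                          if p["event"] in RECOVERY_EVENTS
                          and e["ts"] - p["ts"] <= RESET_TO_TRANSFER_WINDOW]
            cutoff = min(recoveries) if recoveries else e["ts"]
            if recoveries:
                seen_before = {p.get("dest") for p in prior
                               if p["event"] == "transfer_out" and p["ts"] < cutoff}
                if e.get("dest") not in seen_before:
                    reasons.append("recovery_then_new_destination")

            # Rule 2: the legitimate owner looked dormant. Only logins before the recovery
            # count as the owner's; anything after it may be the attacker's own session.
            owner_logins = [p["ts"] for p in prior
                            if p["event"] == "login" and p["ts"] < cutoff]
            if not owner_logins or e["ts"] - max(owner_logins) > DORMANCY_THRESHOLD:
                reasons.append("dormant_account_drained")

            # Rule 3: payout to a prepaid card, the cash-out route the article describes.
            if e.get("dest", "").startswith("PREPAID-"):
                reasons.append("prepaid_card_destination")

            if reasons:
                alerts.append({
                    "account": account,
                    "ts": e["ts"],
                    "dest": e.get("dest"),
                    "amount": e.get("amount"),
                    "reasons": reasons,
                    "report_by": e["ts"] + REPORTING_WINDOW,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_takeovers(SAMPLE_LOG):
        print(f"{a['account']} {a['ts']:%Y-%m-%d} {a['amount']} -> {a['dest']}: "
              f"{', '.join(a['reasons'])} (report by {a['report_by']:%Y-%m-%d})")
```

On the constructed log, HSA-1001 trips all three rules and HSA-2002 (a regular user paying a known checking account) trips none. The dormancy rule deliberately ignores logins after the recovery event, since a successful password reset is followed by the attacker’s own session and counting it would mask the months of silence that preceded it. In a real deployment the same rules would be enriched with device and IP reputation, and the `report_by` date would drive outreach to the account holder rather than waiting for them to notice.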

Unfortunately for victims of HSA fraud, the abuse of their medical PII is likely to continue as financially motivated cybercriminals recognize that individuals with valuable HSAs are also lucrative targets for income tax fraud. And while the IRS has strengthened anti-fraud measures in anticipation of rising income tax fraud, cybercriminals with access to individuals’ medical fullz and credit reports can often use that information to bypass them.

For example, while the IRS has implemented a PIN system to reduce identity theft and fraud, cybercriminals who have previously gained access to a victim’s email account can reset and/or retrieve the PIN through that email. The IRS also relies on security questions such as "What is your mother’s maiden name?", which, again, are easy for a cybercriminal holding the victim’s medical fullz to answer. A control whose answer is itself part of the stolen record offers little protection.

The most effective way to avoid becoming a victim of HSA, tax, and other fraud is to keep your PII from being compromised in the first place. That is far easier said than done. The string of large-scale data breaches in healthcare and other sectors in recent years has already flooded the Deep & Dark Web with millions of PII records, which means many of us have already had our PII compromised in some form, whether we know it or not. The best course of action is therefore to closely monitor balances and activity across all personal and financial accounts, including HSAs, bank accounts, credit reports, and tax returns, and to report anything anomalous promptly. While it may be impossible to prevent every instance of fraud, swiftly detecting and reporting potential indicators of compromise is integral to limiting the damage.


Vitali Kremez is director of research at Flashpoint. He specializes in researching and investigating complex cyberattacks, network intrusions, data breaches, and hacking incidents, mainly those emanating from the Eastern European cybercriminal ecosystem. He has earned the majority ...

Great article to show how hackers think ahead of us. As we are preparing to submit our taxes tomorrow, hopefully with increased security, hackers are already looking at more lucrative personal information. FSAs are the next target and are not yet a commodity on the dark net based on the prices listed in this article.

We just have to brace ourselves and be extra vigilant about giving away our PII to too many organizations out there who really do not need it. For example: registration for my son’s kindergarten next year required a copy of his SSN. I refused to provide it to the school as there is absolutely no reason for them to store that data. They were cool with my answer... So yes, we need to be vigilant and learn to say "No, sorry. You have to prove to me you need that information before I hand it to you."
